eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2020-06-04
163
1
352
10.4230/LIPIcs.ITC.2020
article
LIPIcs, Volume 163, ITC 2020, Complete Volume
Tauman Kalai, Yael
1
Smith, Adam D.
2
Wichs, Daniel
3
4
Microsoft Research New England, Cambridge, MA, USA
Boston University, MA, USA
Northeastern University, Boston, MA, USA
NTT Research, Boston, MA, USA
LIPIcs, Volume 163, ITC 2020, Complete Volume
https://drops.dagstuhl.de/storage/00lipics/lipics-vol163-itc2020/LIPIcs.ITC.2020/LIPIcs.ITC.2020.pdf
LIPIcs, Volume 163, ITC 2020, Complete Volume
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2020-06-04
163
0:i
0:xiv
10.4230/LIPIcs.ITC.2020.0
article
Front Matter, Table of Contents, Preface, Conference Organization
Tauman Kalai, Yael
1
Smith, Adam D.
2
Wichs, Daniel
3
4
Microsoft Research New England, Cambridge, MA, USA
Boston University, MA, USA
Northeastern University, Boston, MA, USA
NTT Research, Boston, MA, USA
Front Matter, Table of Contents, Preface, Conference Organization
https://drops.dagstuhl.de/storage/00lipics/lipics-vol163-itc2020/LIPIcs.ITC.2020.0/LIPIcs.ITC.2020.0.pdf
Front Matter
Table of Contents
Preface
Conference Organization
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2020-06-04
163
1:1
1:14
10.4230/LIPIcs.ITC.2020.1
article
Separating Local & Shuffled Differential Privacy via Histograms
Balcer, Victor
1
Cheu, Albert
2
School of Engineering & Applied Sciences, Harvard University, Cambridge, MA, United States
Khoury College of Computer Sciences, Northeastern University, Boston, MA, United States
Recent work in differential privacy has highlighted the shuffled model as a promising avenue to compute accurate statistics while keeping raw data in users' hands. We present a protocol in this model that estimates histograms with error independent of the domain size. This implies an arbitrarily large gap in sample complexity between the shuffled and local models. On the other hand, we show that the models are equivalent when we impose the constraints of pure differential privacy and single-message randomizers.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol163-itc2020/LIPIcs.ITC.2020.1/LIPIcs.ITC.2020.1.pdf
Differential Privacy
Distributed Protocols
Histograms
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2020-06-04
163
2:1
2:16
10.4230/LIPIcs.ITC.2020.2
article
d-Multiplicative Secret Sharing for Multipartite Adversary Structures
Eriguchi, Reo
1
Kunihiro, Noboru
2
Graduate School of Information Science and Technology, The University of Tokyo, Japan
Department of Computer Science, University of Tsukuba, Japan
Secret sharing schemes are said to be d-multiplicative if the i-th shares of any d secrets s^(j), j∈[d] can be converted into an additive share of the product ∏_{j∈[d]}s^(j). d-Multiplicative secret sharing is a central building block of multiparty computation protocols with the minimum number of rounds which are unconditionally secure against possibly non-threshold adversaries. It is known that d-multiplicative secret sharing is possible if and only if no d forbidden subsets cover the set of all the n players or, equivalently, it is private with respect to an adversary structure of type Q_d. However, the only known method to achieve d-multiplicativity for any adversary structure of type Q_d is based on CNF secret sharing schemes, which are not efficient in general in that the information ratios are exponential in n.
In this paper, we explicitly construct a d-multiplicative secret sharing scheme for any 𝓁-partite adversary structure of type Q_d whose information ratio is O(n^{𝓁+1}). Our schemes are applicable to the class of all the 𝓁-partite adversary structures, which is much wider than that of the threshold ones. Furthermore, our schemes achieve information ratios which are polynomial in n if 𝓁 is constant and hence are more efficient than CNF schemes. In addition, based on the standard embedding of 𝓁-partite adversary structures into ℝ^𝓁, we introduce a class of 𝓁-partite adversary structures of type Q_d with good geometric properties and show that there exist more efficient d-multiplicative secret sharing schemes for adversary structures in that family than the above general construction. The family of adversary structures is a natural generalization of that of the threshold ones and includes some adversary structures which arise in real-world scenarios.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol163-itc2020/LIPIcs.ITC.2020.2/LIPIcs.ITC.2020.2.pdf
Secret sharing scheme
multiplicative secret sharing scheme
multipartite adversary structure
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2020-06-04
163
3:1
3:23
10.4230/LIPIcs.ITC.2020.3
article
Efficient MPC with a Mixed Adversary
Hirt, Martin
1
Mularczyk, Marta
1
ETH Zurich, Switzerland
Over the past 20 years, the efficiency of secure multi-party protocols has been greatly improved. While the seminal protocols from the late 80’s require a communication of Ω(n⁶) field elements per multiplication among n parties, recent protocols offer linear communication complexity. This means that each party needs to communicate a constant number of field elements per multiplication, independent of n.
However, these efficient protocols only offer active security, which implies that at most t<n/3 (perfect security), respectively t<n/2 (statistical or computational security) parties may be corrupted. Higher corruption thresholds (i.e., t≥ n/2) can only be achieved with degraded security (unfair abort), where one single corrupted party can prevent honest parties from learning their outputs.
The aforementioned upper bounds (t<n/3 and t<n/2) have been circumvented by considering mixed adversaries (Fitzi et al., Crypto' 98), i.e., adversaries that corrupt, at the same time, some parties actively, some parties passively, and some parties in the fail-stop manner. It is possible, for example, to achieve perfect security even if 2/3 of the parties are faulty (three quarters of which may abort in the middle of the protocol, and a quarter may even arbitrarily misbehave). This setting is much better suited to many applications, where the crash of a party is more likely than a coordinated active attack.
Surprisingly, since the presentation of the feasibility result for the mixed setting, no progress has been made in terms of efficiency: the state-of-the-art protocol still requires a communication of Ω(n⁶) field elements per multiplication.
In this paper, we present a perfectly-secure MPC protocol for the mixed setting with essentially the same efficiency as the best MPC protocols for the active-only setting. For the first time, this allows tolerating faulty majorities while still providing optimal efficiency. As a special case, this also results in the first fully-secure MPC protocol secure against any number of crashing parties, with optimal (i.e., linear in n) communication. We provide simulation-based proofs of our construction.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol163-itc2020/LIPIcs.ITC.2020.3/LIPIcs.ITC.2020.3.pdf
Multi-party Computation
Communication Cost
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2020-06-04
163
4:1
4:18
10.4230/LIPIcs.ITC.2020.4
article
Practical Relativistic Zero-Knowledge for NP
Crépeau, Claude
1
Massenet, Arnaud Y.
2
Salvail, Louis
3
Stinchcombe, Lucas Shigeru
4
Yang, Nan
5
6
School of Computer Science, McGill University, Montréal, Québec, Canada
École Normale Supérieure Paris-Saclay, Gif-sur-Yvette, France
Département d'Informatique et de R.O., Université de Montréal, Montréal, Québec, Canada
Bloomberg L.P., Tokyo, Japan
Canadian Centre for Cyber Security, Ottawa, Ontario, Canada
Concordia University, Montréal, Québec, Canada
In a Multi-Prover environment, how little spatial separation is sufficient to assert the validity of an NP statement in Perfect Zero-Knowledge? We exhibit a set of two novel Zero-Knowledge protocols for the 3-COLorability problem that use two (local) provers or three (entangled) provers and only require exchanging one edge and two bits with two trits per prover. This greatly improves the ability to prove Zero-Knowledge statements on very short distances with very basic communication gear.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol163-itc2020/LIPIcs.ITC.2020.4/LIPIcs.ITC.2020.4.pdf
Multi-Prover Interactive Proofs
Relativistic Commitments
3-COLorability
Quantum Entanglement
Non-Locality
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2020-06-04
163
5:1
5:24
10.4230/LIPIcs.ITC.2020.5
article
Use Your Brain! Arithmetic 3PC for Any Modulus with Active Security
Eerikson, Hendrik
1
Keller, Marcel
2
Orlandi, Claudio
3
Pullonen, Pille
1
Puura, Joonas
4
Simkin, Mark
3
Cybernetica AS, Tartu, Estonia
CSIRO’s Data61, Eveleigh, Australia
Department of Computer Science, DIGIT, Aarhus University, Denmark
Institute of Computer Science, University of Tartu, Estonia
Secure multiparty computation (MPC) allows a set of mutually distrustful parties to compute a public function on their private inputs without revealing anything beyond the output of the computation. This paper focuses on the specific case of actively secure three-party computation with an honest majority. In particular, we are interested in solutions which allow evaluating arithmetic circuits over real-world CPU word sizes, like 32- and 64-bit words. Our starting point is the novel compiler of Damgård et al. from CRYPTO 2018. First, we present an improved version of it which reduces the online communication complexity by a factor of 2. Next, we replace their preprocessing protocol (with arithmetic modulo a large prime) with a more efficient preprocessing which only performs arithmetic modulo powers of two. Finally, we present a novel "postprocessing" check which replaces the preprocessing phase. These protocols offer different efficiency tradeoffs and can therefore outperform each other in different deployment settings. We demonstrate this with benchmarks in a LAN and different WAN settings. Concretely, we achieve a throughput of 1 million 64-bit multiplications per second with parties located in different continents and 3 million in one location.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol163-itc2020/LIPIcs.ITC.2020.5/LIPIcs.ITC.2020.5.pdf
Secure Multiparty Computation
Information Theoretic Security
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2020-06-04
163
6:1
6:10
10.4230/LIPIcs.ITC.2020.6
article
Expander Graphs Are Non-Malleable Codes
Rasmussen, Peter Michael Reichstein
1
Sahai, Amit
2
Basic Algorithms Research Copenhagen, University of Copenhagen, Denmark
UCLA, Los Angeles, CA, USA
Any d-regular graph on n vertices with spectral expansion λ satisfying n = Ω(d³log(d)/λ) yields a O((λ^{3/2})/d)-non-malleable code for single-bit messages in the split-state model.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol163-itc2020/LIPIcs.ITC.2020.6/LIPIcs.ITC.2020.6.pdf
Non-Malleable Code
Expander Graph
Mixing Lemma
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2020-06-04
163
7:1
7:24
10.4230/LIPIcs.ITC.2020.7
article
Leakage-Resilient Secret Sharing in Non-Compartmentalized Models
Lin, Fuchun
1
Cheraghchi, Mahdi
2
https://orcid.org/0000-0001-8957-0306
Guruswami, Venkatesan
3
Safavi-Naini, Reihaneh
4
Wang, Huaxiong
5
Department of Electrical and Electronic Engineering, Imperial College London, UK
EECS Department, University of Michigan, Ann Arbor, MI, USA
Computer Science Department, Carnegie Mellon University, Pittsburgh, PA, USA
Department of Computer Science, University of Calgary, CA
Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore, SG
Leakage-resilient secret sharing has mostly been studied in the compartmentalized models, where a leakage oracle can arbitrarily leak a bounded number of bits from all shares, provided that the oracle only has access to a bounded number of shares when the leakage is taking place. We start a systematic study of leakage-resilient secret sharing against global leakage, where the leakage oracle can access the full set of shares simultaneously, but the access is restricted to a special class of leakage functions. More concretely, the adversary can corrupt several players and obtain their shares, as well as apply a leakage function from a specific class to the full share vector. We explicitly construct such leakage-resilient secret sharing with respect to affine leakage functions and low-degree multi-variate polynomial leakage functions, respectively. For affine leakage functions, we obtain schemes with threshold access structure that are leakage-resilient as long as there is a substantial difference between the total amount of information obtained by the adversary, through corrupting individual players and leaking from the full share vector, and the amount that the reconstruction algorithm requires for reconstructing the secret. Furthermore, if we assume the adversary is non-adaptive, we can even make the secret length asymptotically equal to the difference, as the share length grows. Specifically, we have a threshold scheme with parameters similar to Shamir’s scheme that is leakage-resilient against affine leakage. For multi-variate polynomial leakage functions with degree bigger than one, our constructions here only yield ramp schemes that are leakage-resilient against such leakage. Finally, as a result of independent interest, we show that our approach to leakage-resilient secret sharing also yields a competitive scheme compared with the state-of-the-art construction in the compartmentalized models.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol163-itc2020/LIPIcs.ITC.2020.7/LIPIcs.ITC.2020.7.pdf
Leakage-resilient cryptography
Secret sharing scheme
Randomness extractor
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2020-06-04
163
8:1
8:15
10.4230/LIPIcs.ITC.2020.8
article
Lower Bounds for Function Inversion with Quantum Advice
Chung, Kai-Min
1
Liao, Tai-Ning
2
Qian, Luowen
3
Academia Sinica, Taipei, Taiwan
National Taiwan University, Taipei, Taiwan
Boston University, MA, USA
Function inversion is the problem that, given a random function f: [M] → [N], we want to find a pre-image f^{-1}(y) of any image y in time T. In this work, we revisit this problem under the preprocessing model where we can compute some auxiliary information or advice of size S that only depends on f but not on y. It is a well-studied problem in the classical setting; however, it is not clear how quantum algorithms can solve this task any better besides invoking Grover’s algorithm [Grover, 1996], which does not leverage the power of preprocessing.
Nayebi et al. [Nayebi et al., 2015] proved a lower bound ST² ≥ Ω̃(N) for quantum algorithms inverting permutations; however, they only consider algorithms with classical advice. Hhan et al. [Minki Hhan et al., 2019] subsequently extended this lower bound to fully quantum algorithms for inverting permutations. In this work, we give the same asymptotic lower bound for fully quantum algorithms inverting functions, under the regime where M = O(N).
In order to prove these bounds, we generalize the notion of quantum random access code, originally introduced by Ambainis et al. [Ambainis et al., 1999], to the setting where we are given a list of (not necessarily independent) random variables, and we wish to compress them into a variable-length encoding such that we can retrieve a random element just using the encoding with high probability. As our main technical contribution, we give a nearly tight lower bound (for a wide parameter range) for this generalized notion of quantum random access codes, which may be of independent interest.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol163-itc2020/LIPIcs.ITC.2020.8/LIPIcs.ITC.2020.8.pdf
Cryptanalysis
Data Structures
Quantum Query Complexity
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2020-06-04
163
9:1
9:25
10.4230/LIPIcs.ITC.2020.9
article
Out-Of-Band Authenticated Group Key Exchange: From Strong Authentication to Immediate Key Delivery
Naor, Moni
1
Rotem, Lior
2
Segev, Gil
2
Department of Computer Science and Applied Mathematics, Weizmann Institute of Science, Rehovot 76100, Israel
School of Computer Science and Engineering, Hebrew University of Jerusalem, Jerusalem 91904, Israel
Given the inherent ad-hoc nature of popular communication platforms, out-of-band authenticated key-exchange protocols are becoming widely deployed: Key exchange protocols that enable users to detect man-in-the-middle attacks by manually authenticating one short value. In this work we put forward the notion of immediate key delivery for such protocols, requiring that even if some users participate in the protocol but do not complete it (e.g., due to losing data connectivity or to other common synchronicity issues), then the remaining users should still agree on a shared secret. A property of a similar flavor was introduced by Alwen, Coretti and Dodis (EUROCRYPT '19) asking for immediate decryption of messages in user-to-user messaging while assuming that a shared secret has already been established - but the underlying issue is crucial already during the initial key exchange and goes far beyond the context of messaging.
Equipped with our immediate key delivery property, we formalize strong notions of security for out-of-band authenticated group key exchange, and demonstrate that the existing protocols either do not satisfy our notions of security or are impractical (these include, in particular, the protocols deployed by Telegram, Signal and WhatsApp). Then, based on the existence of any passively-secure key-exchange protocol (e.g., the Diffie-Hellman protocol), we construct an out-of-band authenticated group key-exchange protocol satisfying our notions of security. Our protocol is inspired by techniques that have been developed in the context of fair string sampling in order to minimize the effect of adversarial aborts, and offers the optimal tradeoff between the length of its out-of-band value and its security.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol163-itc2020/LIPIcs.ITC.2020.9/LIPIcs.ITC.2020.9.pdf
End-to-end encryption
out-of-band authentication
key exchange
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2020-06-04
163
10:1
10:23
10.4230/LIPIcs.ITC.2020.10
article
Hardness vs. (Very Little) Structure in Cryptography: A Multi-Prover Interactive Proofs Perspective
Segev, Gil
1
Shahaf, Ido
1
School of Computer Science and Engineering, Hebrew University of Jerusalem, Jerusalem, Israel
The hardness of highly-structured computational problems gives rise to a variety of public-key primitives. On one hand, the structure exhibited by such problems underlies the basic functionality of public-key primitives, but on the other hand it may endanger public-key cryptography in its entirety via potential algorithmic advances. This subtle interplay initiated a fundamental line of research on whether structure is inherently necessary for cryptography, starting with Rudich’s early work (PhD Thesis '88) and recently leading to that of Bitansky, Degwekar and Vaikuntanathan (CRYPTO '17).
Identifying the structure of computational problems with their corresponding complexity classes, Bitansky et al. proved that a variety of public-key primitives (e.g., public-key encryption, oblivious transfer and even functional encryption) cannot be used in a black-box manner to construct either any hard language that has NP-verifiers both for the language itself and for its complement, or any hard language (and even promise problem) that has a statistical zero-knowledge proof system - corresponding to hardness in the structured classes NP ∩ coNP or SZK, respectively, from a black-box perspective.
In this work we prove that the same variety of public-key primitives do not inherently require even very little structure in a black-box manner: We prove that they do not imply any hard language that has multi-prover interactive proof systems both for the language and for its complement - corresponding to hardness in the class MIP ∩ coMIP from a black-box perspective. Conceptually, given that MIP = NEXP, our result rules out languages with very little structure.
Already the cases of languages that have IP or AM proof systems both for the language itself and for its complement, which we rule out as immediate corollaries, lead to intriguing insights. For the case of IP, where our result can be circumvented using non-black-box techniques, we reveal a gap between black-box and non-black-box techniques. For the case of AM, where circumventing our result via non-black-box techniques would be a major development, we both strengthen and unify the proofs of Bitansky et al. for languages that have NP-verifiers both for the language itself and for its complement and for languages that have a statistical zero-knowledge proof system.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol163-itc2020/LIPIcs.ITC.2020.10/LIPIcs.ITC.2020.10.pdf
Hardness vs. Structure
Black-box Constructions
Interactive Proofs
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2020-06-04
163
11:1
11:23
10.4230/LIPIcs.ITC.2020.11
article
Oblivious Parallel Tight Compaction
Asharov, Gilad
1
Komargodski, Ilan
2
Lin, Wei-Kai
3
Peserico, Enoch
4
Shi, Elaine
3
Bar-Ilan University, Ramat-Gan, Israel
NTT Research, East Palo Alto, CA, USA
Cornell University, Ithaca, NY, USA
Università degli Studi di Padova, Italy
In tight compaction one is given an array of balls some of which are marked 0 and the rest are marked 1. The output of the procedure is an array that contains all of the original balls except that now the 0-balls appear before the 1-balls. In other words, tight compaction is equivalent to sorting the array according to 1-bit keys (not necessarily maintaining order within same-key balls). Tight compaction is not only an important algorithmic task by itself, but its oblivious version has also played a key role in recent constructions of oblivious RAM compilers.
We present an oblivious deterministic algorithm for tight compaction that, for input arrays of n balls, requires O(n) total work and O(log n) depth. Our algorithm is in the Exclusive-Read-Exclusive-Write Parallel-RAM model (i.e., EREW PRAM, the most restrictive PRAM model), and importantly we achieve asymptotic optimality in both total work and depth. To the best of our knowledge no earlier work, even when allowing randomization, can achieve optimality in both total work and depth.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol163-itc2020/LIPIcs.ITC.2020.11/LIPIcs.ITC.2020.11.pdf
Oblivious tight compaction
parallel oblivious RAM
EREW PRAM
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2020-06-04
163
12:1
12:21
10.4230/LIPIcs.ITC.2020.12
article
On Polynomial Secret Sharing Schemes
Paskin-Cherniavsky, Anat
1
Artiom, Radune
1
2
Ariel University, Ariél, Israel
The Open University, Raanana, Israel
Nearly all secret sharing schemes studied so far are linear or multi-linear schemes. Although these schemes allow implementing any monotone access structure, the share complexity, SC, may be suboptimal - there are access structures for which the gap between the best known lower bounds and best known multi-linear schemes is exponential.
There is growing evidence in the literature that non-linear schemes can improve share complexity for some access structures, with the work of Beimel and Ishai (CCC '01) being among the first to demonstrate it. This motivates further study of non-linear schemes.
We initiate a systematic study of polynomial secret sharing schemes (PSSS), where shares are (multi-variate) polynomials of secret and randomness vectors ~s,~r respectively over some finite field 𝔽_q. Our main hope is that the algebraic structure of polynomials would help obtain better lower bounds than those known for the general secret sharing. Some of the initial results we prove in this work are as follows.
On share complexity of polynomial schemes. First we study degree (at most) 1 in randomness variables ~r (where the degree of secret variables is unlimited). We have shown that for a large subclass of these schemes, there exist equivalent multi-linear schemes with O(n) share complexity overhead. Namely, PSSS where every polynomial misses monomials of exact degree c≥ 2 in ~s and 0 in ~r, and PSSS where all polynomials miss monomials of exact degree ≥ 1 in ~s and 1 in ~r. This translates the known lower bound of Ω(n^{log(n)}) for multi-linear schemes onto a class of schemes strictly larger than multi-linear schemes, to contrast with the best Ω(n²/log(n)) bound known for general schemes, with no progress since '94. An observation in the positive direction we make refers to the share complexity (per bit) of multi-linear schemes (polynomial schemes of total degree 1). We observe that the scheme by Liu et al. obtaining share complexity O(2^{0.994n}) can be transformed into a multi-linear scheme with similar share complexity per bit, for sufficiently long secrets. For the next natural degree to consider, 2 in ~r, we have shown that PSSS where all share polynomials are of exact degree 2 in ~r (without exact degree 1 in ~r monomials) where 𝔽_q has odd characteristic, can implement only trivial access structures where the minterms consist of single parties.
Obtaining improved lower bounds for degree-2 in ~r PSSS, and even arbitrary degree-1 in ~r PSSS is left as an interesting open question.
On the randomness complexity of polynomial schemes. We prove that for every degree-2 polynomial secret sharing scheme, there exists an equivalent degree-2 scheme with identical share complexity and with randomness complexity, RC, bounded by 2^{poly(SC)}. For general PSSS, we obtain a similar bound on RC (preserving SC and 𝔽_q but not degree). So far, bounds on randomness complexity were known only for multi-linear schemes, demonstrating that RC ≤ SC is always achievable. Our bounds are not nearly as practical as those for multi-linear schemes, and should be viewed as a proof of concept. If a much better bound for some degree bound d=O(1) is obtained, it would lead directly to super-polynomial counting-based lower bounds for degree-d PSSS over constant-sized fields. Another application of low (say, polynomial) randomness complexity is transforming polynomial schemes with polynomial-sized (in n) algebraic formulas C(~s,~r) for each share, into a degree-3 scheme with only polynomial blowup in share complexity, using standard randomizing polynomials constructions.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol163-itc2020/LIPIcs.ITC.2020.12/LIPIcs.ITC.2020.12.pdf
Secret sharing
polynomial
lower bounds
linear program
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2020-06-04
163
13:1
13:22
10.4230/LIPIcs.ITC.2020.13
article
One-One Constrained Pseudorandom Functions
Peter, Naty
1
Tsabary, Rotem
2
Wee, Hoeteck
3
Ben-Gurion University of the Negev, Beer-Sheva, Israel
Weizmann Institute of Science, Rehovot, Israel
CNRS, ENS, PSL, Paris, France
We define and study a new cryptographic primitive, named One-One Constrained Pseudorandom Functions. In this model there are two parties, Alice and Bob, that hold a common random string K, where Alice in addition holds a predicate f:[N] → {0,1} and Bob in addition holds an input x ∈ [N]. We then let Alice generate a key K_f based on f and K, and let Bob evaluate a value K_x based on x and K. We consider a third party that sees the values (x,f,K_f) and the goal is to allow her to reconstruct K_x whenever f(x)=1, while keeping K_x pseudorandom whenever f(x)=0. This primitive can be viewed as a relaxation of constrained PRFs, such that there is only a single key query and a single evaluation query.
We focus on the information-theoretic setting, where the one-one cPRF has perfect correctness and perfect security. Our main results are as follows.
1) A Lower Bound. We show that in the information-theoretic setting, any one-one cPRF for punctured predicates is of exponential complexity (and thus the lower bound meets the upper bound that is given by a trivial construction). This stands in contrast with the well known GGM-based punctured PRF from OWF, which is in particular a one-one cPRF. This also implies a similar lower bound for all NC1.
2) New Constructions. On the positive side, we present efficient information-theoretic constructions of one-one cPRFs for a few other predicate families, such as equality predicates, inner-product predicates, and subset predicates. We also show a generic AND composition lemma that preserves complexity.
3) An Amplification to standard cPRF. We show that all of our one-one cPRF constructions can be amplified to a standard (single-key) cPRF via any key-homomorphic PRF that supports linear computations. More generally, we suggest a new framework that we call the double-key model which allows constructing constrained PRFs via key-homomorphic PRFs.
4) Relation to CDS. We show that one-one constrained PRFs imply conditional disclosure of secrets (CDS) protocols. We believe that this simple model can be used to better understand constrained PRFs and related cryptographic primitives, and that further applications of one-one constrained PRFs and our double-key model will be found in the future, in addition to those we show in this paper.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol163-itc2020/LIPIcs.ITC.2020.13/LIPIcs.ITC.2020.13.pdf
Constrained pseudorandom functions
function secret-sharing
conditional disclosure of secrets
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2020-06-04
163
14:1
14:25
10.4230/LIPIcs.ITC.2020.14
article
The Power of Synergy in Differential Privacy: Combining a Small Curator with Local Randomizers
Beimel, Amos
1
https://orcid.org/0000-0002-6572-4195
Korolova, Aleksandra
2
Nissim, Kobbi
3
https://orcid.org/0000-0002-6632-8645
Sheffet, Or
4
https://orcid.org/0000-0002-5182-0530
Stemmer, Uri
1
5
https://orcid.org/0000-0001-7584-8768
Dept. of Computer Science, Ben-Gurion University, Beer-Sheva, Israel
Dept. of Computer Science, University of Southern California, Los Angeles, CA, USA
Dept. of Computer Science, Georgetown University, Washington, DC, USA
Faculty of Engineering, Bar-Ilan University, Ramat Gan, Israel
Google Research
Motivated by the desire to bridge the utility gap between local and trusted curator models of differential privacy for practical applications, we initiate the theoretical study of a hybrid model introduced by "Blender" [Avent et al., USENIX Security '17], in which differentially private protocols of n agents that work in the local-model are assisted by a differentially private curator that has access to the data of m additional users. We focus on the regime where m ≪ n and study the new capabilities of this (m,n)-hybrid model. We show that, despite the fact that the hybrid model adds no significant new capabilities for the basic task of simple hypothesis-testing, there are many other tasks (under a wide range of parameters) that can be solved in the hybrid model yet cannot be solved either by the curator or by the local-users separately. Moreover, we exhibit additional tasks where at least one round of interaction between the curator and the local-users is necessary - namely, no hybrid model protocol without such interaction can solve these tasks. Taken together, our results show that the combination of the local model with a small curator can become part of a promising toolkit for designing and implementing differential privacy.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol163-itc2020/LIPIcs.ITC.2020.14/LIPIcs.ITC.2020.14.pdf
differential privacy
hybrid model
private learning
local model
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2020-06-04
163
15:1
15:23
10.4230/LIPIcs.ITC.2020.15
article
Pure Differentially Private Summation from Anonymous Messages
Ghazi, Badih
1
Golowich, Noah
1
2
Kumar, Ravi
1
Manurangsi, Pasin
1
Pagh, Rasmus
1
3
4
Velingker, Ameya
1
Google Research, Mountain View, CA, USA
MIT, Cambridge, MA, USA
IT University of Copenhagen, Denmark
Basic Algorithms Research Copenhagen, Denmark
The shuffled (aka anonymous) model has recently generated significant interest as a candidate distributed privacy framework with trust assumptions better than the central model but with achievable error rates smaller than the local model. In this paper, we study pure differentially private protocols in the shuffled model for summation, a very basic and widely used primitive. Specifically:
- For the binary summation problem where each of n users holds a bit as an input, we give a pure ε-differentially private protocol for estimating the number of ones held by the users up to an absolute error of O_{ε}(1), and where each user sends O_{ε}(log n) one-bit messages. This is the first pure protocol in the shuffled model with error o(√n) for constant values of ε.
- Using our binary summation protocol as a building block, we give a pure ε-differentially private protocol that performs summation of real numbers in [0, 1] up to an absolute error of O_{ε}(1), and where each user sends O_{ε}(log³ n) messages each consisting of O(log log n) bits.
- In contrast, we show that for any pure ε-differentially private protocol for binary summation in the shuffled model having absolute error n^{0.5-Ω(1)}, the per user communication has to be at least Ω_{ε}(√{log n}) bits. This implies (i) the first separation between the (bounded-communication) multi-message shuffled model and the central model, and (ii) the first separation between pure and approximate differentially private protocols in the shuffled model. Interestingly, over the course of proving our lower bound, we have to consider (a generalization of) the following question that might be of independent interest: given γ ∈ (0, 1), what is the smallest positive integer m for which there exist two random variables X^0 and X^1 supported on {0, … , m} such that (i) the total variation distance between X^0 and X^1 is at least 1 - γ, and (ii) the moment generating functions of X^0 and X^1 are within a constant factor of each other everywhere? We show that the answer to this question is m = Θ(√{log(1/γ)}).
https://drops.dagstuhl.de/storage/00lipics/lipics-vol163-itc2020/LIPIcs.ITC.2020.15/LIPIcs.ITC.2020.15.pdf
Pure differential privacy
Shuffled model
Anonymous messages
Summation
Communication bounds
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2020-06-04
163
16:1
16:23
10.4230/LIPIcs.ITC.2020.16
article
On Locally Decodable Codes in Resource Bounded Channels
Blocki, Jeremiah
1
https://orcid.org/0000-0002-5542-4674
Kulkarni, Shubhang
1
https://orcid.org/0000-0002-1670-6011
Zhou, Samson
2
https://orcid.org/0000-0001-8288-5698
Purdue University, West Lafayette, IN, USA
Carnegie Mellon University, Pittsburgh, PA, USA
Constructions of locally decodable codes (LDCs) have one of two undesirable properties: low rate or high locality (polynomial in the length of the message). In settings where the encoder/decoder have already exchanged cryptographic keys and the channel is a probabilistic polynomial time (PPT) algorithm, it is possible to circumvent these barriers and design LDCs with constant rate and small locality. However, the assumption that the encoder/decoder have exchanged cryptographic keys is often prohibitive. We thus consider the problem of designing explicit and efficient LDCs in settings where the channel is slightly more constrained than the encoder/decoder with respect to some resource, e.g., space or (sequential) time. Given an explicit function f that the channel cannot compute, we show how the encoder can transmit a random secret key to the local decoder using f(⋅) and a random oracle 𝖧(⋅). We then bootstrap the private key LDC construction of Ostrovsky, Pandey and Sahai (ICALP, 2007), thereby answering an open question posed by Guruswami and Smith (FOCS 2010) of whether such bootstrapping techniques are applicable to LDCs in channel models weaker than just PPT algorithms. Specifically, in the random oracle model we show how to construct explicit constant rate LDCs with locality of polylog in the security parameter against various resource constrained channels.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol163-itc2020/LIPIcs.ITC.2020.16/LIPIcs.ITC.2020.16.pdf
Locally Decodable Codes
Resource Bounded Channels